@kirrosh/zond 0.26.0 → 0.27.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (261) hide show
  1. package/CHANGELOG.md +59 -0
  2. package/README.md +22 -21
  3. package/bin/zond.mjs +23 -0
  4. package/package.json +13 -16
  5. package/scripts/npm/postinstall.mjs +76 -0
  6. package/src/CLAUDE.md +0 -112
  7. package/src/bun-types.d.ts +0 -5
  8. package/src/cli/argv.ts +0 -122
  9. package/src/cli/commands/add-api.ts +0 -146
  10. package/src/cli/commands/api/annotate/idempotency.ts +0 -59
  11. package/src/cli/commands/api/annotate/index.ts +0 -880
  12. package/src/cli/commands/api/annotate/lifecycle.ts +0 -74
  13. package/src/cli/commands/api/annotate/overlay.ts +0 -206
  14. package/src/cli/commands/api/annotate/pagination.ts +0 -64
  15. package/src/cli/commands/api/annotate/prompts.ts +0 -220
  16. package/src/cli/commands/api/annotate/readback.ts +0 -58
  17. package/src/cli/commands/api/annotate/resources.ts +0 -91
  18. package/src/cli/commands/api/annotate/seed-bodies.ts +0 -61
  19. package/src/cli/commands/audit.ts +0 -786
  20. package/src/cli/commands/catalog.ts +0 -97
  21. package/src/cli/commands/check.ts +0 -361
  22. package/src/cli/commands/checks.ts +0 -1072
  23. package/src/cli/commands/ci-init.ts +0 -223
  24. package/src/cli/commands/clean.ts +0 -212
  25. package/src/cli/commands/cleanup.ts +0 -236
  26. package/src/cli/commands/completions.ts +0 -192
  27. package/src/cli/commands/coverage.ts +0 -872
  28. package/src/cli/commands/db.ts +0 -611
  29. package/src/cli/commands/describe.ts +0 -120
  30. package/src/cli/commands/discover.ts +0 -1356
  31. package/src/cli/commands/doctor.ts +0 -661
  32. package/src/cli/commands/fixtures.ts +0 -402
  33. package/src/cli/commands/generate.ts +0 -577
  34. package/src/cli/commands/init/agents-md.ts +0 -61
  35. package/src/cli/commands/init/bootstrap.ts +0 -111
  36. package/src/cli/commands/init/index.ts +0 -244
  37. package/src/cli/commands/init/skills.ts +0 -141
  38. package/src/cli/commands/init/templates/agents.md +0 -86
  39. package/src/cli/commands/init/templates/markdown.d.ts +0 -4
  40. package/src/cli/commands/init/templates/skills/warm-up-target.md +0 -122
  41. package/src/cli/commands/init/templates/skills/zond-checks.md +0 -621
  42. package/src/cli/commands/init/templates/skills/zond-seed.md +0 -114
  43. package/src/cli/commands/init/templates/skills/zond-triage.md +0 -272
  44. package/src/cli/commands/init/templates/skills/zond.md +0 -861
  45. package/src/cli/commands/init/templates/zond-config.yml +0 -14
  46. package/src/cli/commands/prepare-fixtures.ts +0 -97
  47. package/src/cli/commands/probe/_seed-bodies.ts +0 -52
  48. package/src/cli/commands/probe/mass-assignment.ts +0 -594
  49. package/src/cli/commands/probe/security.ts +0 -537
  50. package/src/cli/commands/probe/static.ts +0 -255
  51. package/src/cli/commands/probe/webhooks.ts +0 -163
  52. package/src/cli/commands/probe.ts +0 -535
  53. package/src/cli/commands/reference.ts +0 -87
  54. package/src/cli/commands/refresh-api.ts +0 -227
  55. package/src/cli/commands/remove-api.ts +0 -150
  56. package/src/cli/commands/report-bundle.ts +0 -310
  57. package/src/cli/commands/report.ts +0 -241
  58. package/src/cli/commands/request.ts +0 -548
  59. package/src/cli/commands/run.ts +0 -1142
  60. package/src/cli/commands/schema-from-runs.ts +0 -128
  61. package/src/cli/commands/secrets.ts +0 -133
  62. package/src/cli/commands/session.ts +0 -244
  63. package/src/cli/commands/use.ts +0 -74
  64. package/src/cli/index.ts +0 -55
  65. package/src/cli/json-envelope.ts +0 -108
  66. package/src/cli/json-schemas.ts +0 -314
  67. package/src/cli/output.ts +0 -40
  68. package/src/cli/program.ts +0 -219
  69. package/src/cli/resolve.ts +0 -105
  70. package/src/cli/runtime.ts +0 -7
  71. package/src/cli/safe-live.ts +0 -24
  72. package/src/cli/status-filter.ts +0 -114
  73. package/src/cli/util/api-context.ts +0 -85
  74. package/src/cli/version.ts +0 -8
  75. package/src/core/audit/persist.ts +0 -183
  76. package/src/core/checks/budget.ts +0 -59
  77. package/src/core/checks/checks/_crud-helpers.ts +0 -133
  78. package/src/core/checks/checks/_negative_mutator.ts +0 -133
  79. package/src/core/checks/checks/_readback-helpers.ts +0 -133
  80. package/src/core/checks/checks/content_type_conformance.ts +0 -39
  81. package/src/core/checks/checks/cross_call_references.ts +0 -147
  82. package/src/core/checks/checks/cursor_boundary_fuzzing.ts +0 -219
  83. package/src/core/checks/checks/ensure_resource_availability.ts +0 -62
  84. package/src/core/checks/checks/idempotency_replay.ts +0 -242
  85. package/src/core/checks/checks/ignored_auth.ts +0 -254
  86. package/src/core/checks/checks/index.ts +0 -68
  87. package/src/core/checks/checks/lifecycle_transitions.ts +0 -416
  88. package/src/core/checks/checks/missing_required_header.ts +0 -40
  89. package/src/core/checks/checks/negative_data_rejection.ts +0 -148
  90. package/src/core/checks/checks/not_a_server_error.ts +0 -35
  91. package/src/core/checks/checks/open_cors_on_sensitive.ts +0 -160
  92. package/src/core/checks/checks/pagination_invariants.ts +0 -419
  93. package/src/core/checks/checks/positive_data_acceptance.ts +0 -33
  94. package/src/core/checks/checks/rate_limit_headers_absent.ts +0 -77
  95. package/src/core/checks/checks/response_headers_conformance.ts +0 -74
  96. package/src/core/checks/checks/response_schema_conformance.ts +0 -30
  97. package/src/core/checks/checks/status_code_conformance.ts +0 -132
  98. package/src/core/checks/checks/unsupported_method.ts +0 -63
  99. package/src/core/checks/checks/use_after_free.ts +0 -78
  100. package/src/core/checks/index.ts +0 -30
  101. package/src/core/checks/mode.ts +0 -82
  102. package/src/core/checks/recommended-action.ts +0 -68
  103. package/src/core/checks/registry.ts +0 -78
  104. package/src/core/checks/runner.ts +0 -1461
  105. package/src/core/checks/sarif.ts +0 -230
  106. package/src/core/checks/spec-findings.ts +0 -308
  107. package/src/core/checks/stateful.ts +0 -121
  108. package/src/core/checks/types.ts +0 -305
  109. package/src/core/checks/zond-extensions.ts +0 -73
  110. package/src/core/classifier/recommended-action.ts +0 -251
  111. package/src/core/context/current.ts +0 -51
  112. package/src/core/context/session.ts +0 -78
  113. package/src/core/coverage/loader.ts +0 -216
  114. package/src/core/coverage/reasons.ts +0 -300
  115. package/src/core/diagnostics/db-analysis.ts +0 -666
  116. package/src/core/diagnostics/failure-class.ts +0 -140
  117. package/src/core/diagnostics/failure-hints.ts +0 -112
  118. package/src/core/diagnostics/spec-pointer.ts +0 -99
  119. package/src/core/diagnostics/suggested-fixes.ts +0 -155
  120. package/src/core/exporter/case-study/index.ts +0 -270
  121. package/src/core/exporter/curl.ts +0 -40
  122. package/src/core/exporter/exporter.ts +0 -48
  123. package/src/core/exporter/html-report/escape.ts +0 -24
  124. package/src/core/exporter/html-report/index.ts +0 -479
  125. package/src/core/exporter/html-report/script.ts +0 -100
  126. package/src/core/exporter/html-report/styles.ts +0 -408
  127. package/src/core/generator/catalog-builder.ts +0 -179
  128. package/src/core/generator/chunker.ts +0 -78
  129. package/src/core/generator/coverage-phase.ts +0 -0
  130. package/src/core/generator/coverage-scanner.ts +0 -87
  131. package/src/core/generator/data-factory.ts +0 -759
  132. package/src/core/generator/describe.ts +0 -302
  133. package/src/core/generator/endpoint-warnings.ts +0 -52
  134. package/src/core/generator/fixtures-builder.ts +0 -332
  135. package/src/core/generator/index.ts +0 -14
  136. package/src/core/generator/openapi-reader.ts +0 -297
  137. package/src/core/generator/path-param-disambig.ts +0 -140
  138. package/src/core/generator/resources-builder.ts +0 -898
  139. package/src/core/generator/schema-utils.ts +0 -112
  140. package/src/core/generator/serializer.ts +0 -343
  141. package/src/core/generator/suite-generator.ts +0 -1301
  142. package/src/core/generator/types.ts +0 -63
  143. package/src/core/identity/identity-file.ts +0 -0
  144. package/src/core/lint/affects.ts +0 -28
  145. package/src/core/lint/config.ts +0 -96
  146. package/src/core/lint/format.ts +0 -42
  147. package/src/core/lint/index.ts +0 -94
  148. package/src/core/lint/reporter.ts +0 -128
  149. package/src/core/lint/rules/consistency.ts +0 -158
  150. package/src/core/lint/rules/heuristics.ts +0 -97
  151. package/src/core/lint/rules/strictness.ts +0 -109
  152. package/src/core/lint/types.ts +0 -96
  153. package/src/core/lint/walker.ts +0 -248
  154. package/src/core/meta/meta-store.ts +0 -11
  155. package/src/core/output/README.md +0 -73
  156. package/src/core/output/index.ts +0 -13
  157. package/src/core/output/run.ts +0 -91
  158. package/src/core/output/types.ts +0 -122
  159. package/src/core/parser/dynamic-values.ts +0 -160
  160. package/src/core/parser/env-interpolation.ts +0 -104
  161. package/src/core/parser/filter.ts +0 -97
  162. package/src/core/parser/schema.ts +0 -359
  163. package/src/core/parser/types.ts +0 -117
  164. package/src/core/parser/variables.ts +0 -0
  165. package/src/core/parser/yaml-parser.ts +0 -181
  166. package/src/core/probe/bootstrap.ts +0 -34
  167. package/src/core/probe/dry-run-envelope.ts +0 -61
  168. package/src/core/probe/mass-assignment/classify.ts +0 -175
  169. package/src/core/probe/mass-assignment/cleanup.ts +0 -52
  170. package/src/core/probe/mass-assignment/digest.ts +0 -114
  171. package/src/core/probe/mass-assignment/orchestrator.ts +0 -459
  172. package/src/core/probe/mass-assignment/regression.ts +0 -141
  173. package/src/core/probe/mass-assignment/suspects.ts +0 -92
  174. package/src/core/probe/mass-assignment/types.ts +0 -135
  175. package/src/core/probe/mass-assignment-probe-class.ts +0 -198
  176. package/src/core/probe/mass-assignment-probe.ts +0 -27
  177. package/src/core/probe/mass-assignment-template.ts +0 -240
  178. package/src/core/probe/method-probe.ts +0 -164
  179. package/src/core/probe/method-shared.ts +0 -69
  180. package/src/core/probe/negative-probe.ts +0 -691
  181. package/src/core/probe/orphan-tracker.ts +0 -188
  182. package/src/core/probe/path-discovery.ts +0 -439
  183. package/src/core/probe/probe-harness.ts +0 -119
  184. package/src/core/probe/registry.ts +0 -89
  185. package/src/core/probe/runner.ts +0 -136
  186. package/src/core/probe/security/baseline.ts +0 -174
  187. package/src/core/probe/security/classify.ts +0 -341
  188. package/src/core/probe/security/cleanup.ts +0 -125
  189. package/src/core/probe/security/detectors.ts +0 -71
  190. package/src/core/probe/security/digest.ts +0 -104
  191. package/src/core/probe/security/orchestrator.ts +0 -398
  192. package/src/core/probe/security/regression.ts +0 -103
  193. package/src/core/probe/security/types.ts +0 -151
  194. package/src/core/probe/security-probe-class.ts +0 -207
  195. package/src/core/probe/security-probe.ts +0 -32
  196. package/src/core/probe/shared.ts +0 -531
  197. package/src/core/probe/static-probe-class.ts +0 -125
  198. package/src/core/probe/types.ts +0 -165
  199. package/src/core/probe/verdict-aggregator.ts +0 -33
  200. package/src/core/probe/webhooks-probe.ts +0 -282
  201. package/src/core/reporter/console.ts +0 -240
  202. package/src/core/reporter/index.ts +0 -22
  203. package/src/core/reporter/json.ts +0 -22
  204. package/src/core/reporter/junit.ts +0 -93
  205. package/src/core/reporter/ndjson.ts +0 -37
  206. package/src/core/reporter/types.ts +0 -15
  207. package/src/core/runner/assertions.ts +0 -383
  208. package/src/core/runner/async-pool.ts +0 -108
  209. package/src/core/runner/auth-path.ts +0 -8
  210. package/src/core/runner/ci-context.ts +0 -72
  211. package/src/core/runner/executor.ts +0 -652
  212. package/src/core/runner/expr-eval.ts +0 -41
  213. package/src/core/runner/form-encode.ts +0 -41
  214. package/src/core/runner/http-client.ts +0 -224
  215. package/src/core/runner/learn-drift.ts +0 -293
  216. package/src/core/runner/preflight-vars.ts +0 -153
  217. package/src/core/runner/progress-tracker.ts +0 -73
  218. package/src/core/runner/rate-limiter.ts +0 -185
  219. package/src/core/runner/run-kind.ts +0 -45
  220. package/src/core/runner/schema-validator.ts +0 -308
  221. package/src/core/runner/send-request.ts +0 -232
  222. package/src/core/runner/transforms.ts +0 -65
  223. package/src/core/runner/types.ts +0 -94
  224. package/src/core/secrets/registry.ts +0 -164
  225. package/src/core/secrets/secrets-file.ts +0 -115
  226. package/src/core/selectors/operation-filter.ts +0 -144
  227. package/src/core/setup-api.ts +0 -590
  228. package/src/core/severity/category.ts +0 -94
  229. package/src/core/severity/index.ts +0 -58
  230. package/src/core/spec/infer-schema.ts +0 -102
  231. package/src/core/spec/layers.ts +0 -154
  232. package/src/core/spec/merge-specs.ts +0 -156
  233. package/src/core/spec/schema-from-runs.ts +0 -117
  234. package/src/core/spec/schema-overlay.ts +0 -130
  235. package/src/core/util/ajv.ts +0 -13
  236. package/src/core/util/format-eta.ts +0 -21
  237. package/src/core/util/headers.ts +0 -9
  238. package/src/core/util/url.ts +0 -24
  239. package/src/core/utils.ts +0 -13
  240. package/src/core/workspace/config.ts +0 -129
  241. package/src/core/workspace/fixture-gap-report.ts +0 -84
  242. package/src/core/workspace/fixture-gaps.ts +0 -71
  243. package/src/core/workspace/manifest.ts +0 -283
  244. package/src/core/workspace/output-rotation.ts +0 -62
  245. package/src/core/workspace/root.ts +0 -96
  246. package/src/core/workspace/triage-path.ts +0 -87
  247. package/src/db/lint-runs.ts +0 -47
  248. package/src/db/migrate.ts +0 -128
  249. package/src/db/migrations/0001_run_kind.sql +0 -25
  250. package/src/db/migrations/0002_run_kind_request.sql +0 -59
  251. package/src/db/migrations/sql.d.ts +0 -4
  252. package/src/db/queries/collections.ts +0 -133
  253. package/src/db/queries/coverage.ts +0 -9
  254. package/src/db/queries/dashboard.ts +0 -59
  255. package/src/db/queries/results.ts +0 -216
  256. package/src/db/queries/runs.ts +0 -289
  257. package/src/db/queries/sessions.ts +0 -42
  258. package/src/db/queries/settings.ts +0 -28
  259. package/src/db/queries/types.ts +0 -172
  260. package/src/db/queries.ts +0 -75
  261. package/src/db/schema.ts +0 -298
@@ -1,140 +0,0 @@
1
- /**
2
- * TASK-101: failure classification — definitely_bug / likely_bug / quirk / env_issue.
3
- *
4
- * Goal: бэкендер за секунду видит «реально баг» vs «quirk зонда / probe
5
- * фолс-позитив». Чисто read-only классификация: не меняет статус step,
6
- * не влияет на pass/fail. Только tag-овая аналитика.
7
- */
8
-
9
- import type { StepResult, AssertionResult } from "../runner/types.ts";
10
- import type { SourceMetadata } from "../parser/types.ts";
11
-
12
- export type FailureClass =
13
- | "definitely_bug"
14
- | "likely_bug"
15
- | "quirk"
16
- | "env_issue"
17
- /** Step was skipped because an upstream step failed to produce a required
18
- * capture (or produced a tainted one). Not a failure on its own — render
19
- * collapsed under the root failure to avoid drowning the user. */
20
- | "cascade";
21
-
22
- export interface FailureClassification {
23
- failure_class: FailureClass;
24
- failure_class_reason: string;
25
- }
26
-
27
- function failedAssertionsOf(result: StepResult): AssertionResult[] {
28
- return result.assertions.filter((a) => !a.passed);
29
- }
30
-
31
- function ruleStartsWith(a: AssertionResult, prefix: string): boolean {
32
- return typeof a.rule === "string" && a.rule.startsWith(prefix);
33
- }
34
-
35
- function expectedStatusList(a: AssertionResult): number[] | null {
36
- if (Array.isArray(a.expected)) {
37
- const arr = a.expected.filter((v): v is number => typeof v === "number");
38
- return arr.length > 0 ? arr : null;
39
- }
40
- return typeof a.expected === "number" ? [a.expected] : null;
41
- }
42
-
43
- /**
44
- * Classify a failed step. Returns `null` for pass/skip/unclassifiable failures —
45
- * UI renders those as "unclassified" rather than crashing.
46
- */
47
- export function classifyFailure(result: StepResult): FailureClassification | null {
48
- if (result.status === "pass" || result.status === "skip") return null;
49
-
50
- // Network/runtime error before any HTTP response → env-side
51
- if (result.status === "error") {
52
- return {
53
- failure_class: "env_issue",
54
- failure_class_reason: result.error ?? "request failed before producing a response",
55
- };
56
- }
57
-
58
- const respStatus = result.response?.status;
59
- const provenance: SourceMetadata | null | undefined = result.provenance;
60
- const generator = typeof provenance?.generator === "string" ? provenance.generator : undefined;
61
- const failed = failedAssertionsOf(result);
62
-
63
- // 1. Backend 5xx — always a backend bug regardless of test intent.
64
- if (typeof respStatus === "number" && respStatus >= 500) {
65
- return {
66
- failure_class: "definitely_bug",
67
- failure_class_reason: `API returned ${respStatus} — server-side error`,
68
- };
69
- }
70
-
71
- // 2. Response did not match its OpenAPI schema — spec guarantees X, server returned ≠ X.
72
- const schemaFail = failed.find((a) => ruleStartsWith(a, "schema."));
73
- if (schemaFail) {
74
- return {
75
- failure_class: "definitely_bug",
76
- failure_class_reason: `Response violates OpenAPI schema at ${schemaFail.field}`,
77
- };
78
- }
79
-
80
- // 3. Mass-assignment probe: extras must not apply. A failed not_equals
81
- // assertion on this generator means the sentinel value leaked through.
82
- if (generator === "mass-assignment-probe") {
83
- const extrasLeak = failed.find(
84
- (a) => ruleStartsWith(a, "not_equals") || ruleStartsWith(a, "set_equals"),
85
- );
86
- if (extrasLeak) {
87
- return {
88
- failure_class: "definitely_bug",
89
- failure_class_reason: `Mass-assignment: client-supplied extras were accepted (${extrasLeak.field})`,
90
- };
91
- }
92
- }
93
-
94
- // 4. ARV-236: 401/403 on a step that expected success → env_issue
95
- // ("token_scope"). Surfaces narrowly-scoped tokens (Resend free plan,
96
- // GitHub PAT without `repo`, Stripe restricted key, etc.) so coverage
97
- // and triage don't tag them as fail. Only fires when the failing
98
- // assertion is on `status` and the expected status was 2xx — a real
99
- // "expect 403" test deliberately checking auth still classifies normally.
100
- if (typeof respStatus === "number" && (respStatus === 401 || respStatus === 403)) {
101
- const statusFail = failed.find((a) => a.field === "status");
102
- if (statusFail) {
103
- const expected = expectedStatusList(statusFail);
104
- const allExpected2xx = expected?.every((s) => s >= 200 && s < 300) ?? false;
105
- if (allExpected2xx) {
106
- return {
107
- failure_class: "env_issue",
108
- failure_class_reason: `token_scope: API returned ${respStatus} where the test expected ${expected!.join("/")} — token lacks scope or plan for this endpoint`,
109
- };
110
- }
111
- }
112
- }
113
-
114
- // 5. Negative-probe family — distinguish "API accepted bad input" (likely_bug)
115
- // from "API rejected with a different 4xx" (quirk).
116
- if (generator === "negative-probe" || generator === "method-probe") {
117
- const statusFail = failed.find((a) => a.field === "status");
118
- if (statusFail && typeof respStatus === "number") {
119
- const expected = expectedStatusList(statusFail);
120
- const allExpected4xx = expected?.every((s) => s >= 400 && s < 500) ?? false;
121
- if (allExpected4xx) {
122
- if (respStatus >= 200 && respStatus < 300) {
123
- return {
124
- failure_class: "likely_bug",
125
- failure_class_reason: `Negative probe expected 4xx, got ${respStatus} — API accepts invalid input`,
126
- };
127
- }
128
- if (respStatus >= 400 && respStatus < 500) {
129
- return {
130
- failure_class: "quirk",
131
- failure_class_reason: `Negative probe expected ${expected!.join("/")}, got ${respStatus} — different 4xx code`,
132
- };
133
- }
134
- }
135
- }
136
- }
137
-
138
- // Default: leave unclassified. UI / CLI render as "unclassified".
139
- return null;
140
- }
@@ -1,112 +0,0 @@
1
- /**
2
- * Failure classification → closed-enum `recommended_action`.
3
- * ARV-338: prose hints (statusHint/envHint/softDeleteHint/schemaHint,
4
- * env_issue clustering, auth_hint, agent_directive) removed — the agent
5
- * triages by enum + raw evidence, not by heuristic guess-text.
6
- */
7
-
8
- import { classify } from "../classifier/recommended-action.ts";
9
-
10
- export function classifyFailure(status: string, responseStatus: number | null): "api_error" | "assertion_failed" | "network_error" {
11
- if (status === "error" && (responseStatus === null || responseStatus < 500)) return "network_error";
12
- if (responseStatus !== null && responseStatus >= 500) return "api_error";
13
- return "assertion_failed";
14
- }
15
-
16
- export type RecommendedAction =
17
- | "report_backend_bug"
18
- | "fix_auth_config"
19
- | "fix_test_logic"
20
- | "fix_network_config"
21
- | "fix_env"
22
- /** Fix the OpenAPI spec — emitted by lint-spec.Issue (TASK-294) and
23
- * by `status_code_conformance` / `*_conformance` checks (ARV-11). */
24
- | "fix_spec"
25
- /** Add or correct a fixture in .env.yaml — emitted by discover for
26
- * miss-* states (TASK-294). */
27
- | "fix_fixture"
28
- /** ARV-42 — generator-emitted suite produced a body the API rejected
29
- * (4xx with validation hint). Editing the YAML is wrong: the next
30
- * `zond generate` would clobber it. Re-run generate (or refine the
31
- * spec/.api-resources hints) instead. */
32
- | "regenerate_suite"
33
- /** ARV-11 — server accepted an invalid request body. Backend should
34
- * reject earlier; the test isn't wrong. */
35
- | "tighten_validation"
36
- /** ARV-11 — server didn't enforce a header marked `required: true`
37
- * in the spec. Either enforce it, or drop `required` in the spec. */
38
- | "add_required_header"
39
- /** ARV-11 — known limitation that the team has accepted. Agents
40
- * should not retry, file a bug, or include in dashboards. */
41
- | "wontfix_known_limitation";
42
-
43
- export function recommendedAction(
44
- failureType: "api_error" | "assertion_failed" | "network_error",
45
- responseStatus: number | null,
46
- ): RecommendedAction {
47
- // ARV-56: delegate to the single classifier.
48
- const action = classify({
49
- finding_class: failureType === "api_error" ? "test:api_error" :
50
- failureType === "network_error" ? "test:network_error" : "test:assertion_failed",
51
- status: responseStatus,
52
- });
53
- // The three failure_type classes are total in the classifier — a missing
54
- // branch means a future refactor stripped one; surface loudly.
55
- if (!action) throw new Error(`classifier returned no action for failure_type=${failureType} status=${responseStatus}`);
56
- return action;
57
- }
58
-
59
- /**
60
- * ARV-42: extended recommender that knows whether the failing test was
61
- * emitted by `zond generate`. For generated suites, "fix_test_logic" is
62
- * actively misleading — the generated YAML carries the header
63
- * "⚠️ Edits will be overwritten on regenerate" and the next `zond audit`
64
- * really does clobber manual edits. Branch into the actually-actionable
65
- * remediation instead.
66
- *
67
- * - 4xx (400/422) → regenerate_suite: the body the generator emitted
68
- * didn't pass validation; either re-run generate (so newer heuristics
69
- * apply, e.g. ARV-38 default-string) or tighten .api-resources hints.
70
- * - 404 → fix_fixture: a path-param resolved to an empty / stale id
71
- * in .env.yaml; `prepare-fixtures --seed` is the correct remedy.
72
- * - everything else → falls back to recommendedAction (auth → 401/403,
73
- * api_error → 5xx, etc.).
74
- *
75
- * `isGenerated` is the heuristic from db-analysis: provenance.type
76
- * "openapi-generated" OR suite_file under apis/<api>/tests/.
77
- */
78
- export function recommendedActionForGenerated(
79
- failureType: "api_error" | "assertion_failed" | "network_error",
80
- responseStatus: number | null,
81
- isGenerated: boolean,
82
- schemaViolation = false,
83
- ): RecommendedAction {
84
- // ARV-56: delegate to classifier. `isGenerated` is encoded via a
85
- // synthetic suite_path so the same logic flows through classify().
86
- // ARV-103 (F8): `schemaViolation` propagates the assertion-kind flag —
87
- // when true, the classifier's "treat schema bugs like 5xx" branch wins
88
- // over the generator's regenerate_suite default.
89
- const action = classify({
90
- finding_class: failureType === "api_error" ? "test:api_error" :
91
- failureType === "network_error" ? "test:network_error" : "test:assertion_failed",
92
- status: responseStatus,
93
- ...(isGenerated ? { suite_path: "apis/_/tests/_.yaml" } : {}),
94
- ...(schemaViolation ? { schema_violation: true } : {}),
95
- });
96
- if (!action) throw new Error(`classifier returned no action for failure_type=${failureType} status=${responseStatus}`);
97
- return action;
98
- }
99
-
100
- /** ARV-42: classify a failing result row as generator-emitted. The two
101
- * signals are independent — provenance is missing on older runs, while
102
- * suite_file disambiguates against ad-hoc YAMLs the user dropped into
103
- * apis/<api>/tests/ themselves (rare but supported). */
104
- export function isGeneratedTest(
105
- provenance: { type?: string; generator?: string } | null | undefined,
106
- suite_file: string | null | undefined,
107
- ): boolean {
108
- if (provenance?.type === "openapi-generated") return true;
109
- if (provenance?.generator && provenance.generator.toLowerCase().includes("zond")) return true;
110
- if (typeof suite_file === "string" && /(^|\/)apis\/[^/]+\/tests\//.test(suite_file)) return true;
111
- return false;
112
- }
@@ -1,99 +0,0 @@
1
- /**
2
- * TASK-102: build a JSON Pointer (RFC 6901) into the OpenAPI document for the
3
- * response branch a step exercises, plus a small excerpt of the schema at that
4
- * pointer. The excerpt is captured at run time and frozen into the DB so that
5
- * later spec edits can't rewrite history.
6
- *
7
- * Inputs come from {@link SourceMetadata} populated by TASK-100:
8
- * - `endpoint` e.g. "POST /webhooks"
9
- * - `response_branch` e.g. "422" or "400|422" (first wins for the pointer)
10
- */
11
-
12
- import type { SourceMetadata } from "../parser/types.ts";
13
-
14
- export interface SpecPointer {
15
- pointer: string;
16
- excerpt: string;
17
- }
18
-
19
- const EXCERPT_MAX_BYTES = 500;
20
-
21
- function escapeJsonPointerSegment(s: string): string {
22
- return s.replace(/~/g, "~0").replace(/\//g, "~1");
23
- }
24
-
25
- function parseEndpoint(endpoint: string): { method: string; path: string } | null {
26
- const m = endpoint.match(/^([A-Z]+)\s+(\/.*)$/);
27
- if (!m) return null;
28
- return { method: m[1]!.toLowerCase(), path: m[2]! };
29
- }
30
-
31
- function pickPrimaryStatus(responseBranch: string | undefined): string | null {
32
- if (!responseBranch) return null;
33
- const first = responseBranch.split(/[|,\s]/).find((s) => /^\d{3}$/.test(s));
34
- return first ?? null;
35
- }
36
-
37
- function trimExcerpt(json: string): string {
38
- if (json.length <= EXCERPT_MAX_BYTES) return json;
39
- return json.slice(0, EXCERPT_MAX_BYTES) + "\n…[truncated]";
40
- }
41
-
42
- /**
43
- * Resolve the response operation in the OpenAPI document and produce a pointer
44
- * + frozen excerpt. Returns `null` if any link in the chain is missing — caller
45
- * persists `null` rather than crashing.
46
- */
47
- export function buildSpecPointer(
48
- source: SourceMetadata | null | undefined,
49
- openApiDoc: unknown,
50
- ): SpecPointer | null {
51
- if (!source || !openApiDoc || typeof openApiDoc !== "object") return null;
52
- if (typeof source.endpoint !== "string") return null;
53
-
54
- const parsed = parseEndpoint(source.endpoint);
55
- if (!parsed) return null;
56
- const status = pickPrimaryStatus(source.response_branch ?? undefined);
57
- if (!status) return null;
58
-
59
- const doc = openApiDoc as Record<string, unknown>;
60
- const paths = doc.paths as Record<string, unknown> | undefined;
61
- if (!paths || typeof paths !== "object") return null;
62
-
63
- const pathItem = paths[parsed.path] as Record<string, unknown> | undefined;
64
- if (!pathItem || typeof pathItem !== "object") return null;
65
-
66
- const operation = pathItem[parsed.method] as Record<string, unknown> | undefined;
67
- if (!operation || typeof operation !== "object") return null;
68
-
69
- const responses = operation.responses as Record<string, unknown> | undefined;
70
- if (!responses || typeof responses !== "object") return null;
71
-
72
- const response = (responses[status] ?? responses.default) as Record<string, unknown> | undefined;
73
- if (!response || typeof response !== "object") return null;
74
-
75
- const escapedPath = escapeJsonPointerSegment(parsed.path);
76
- let pointer = `#/paths/${escapedPath}/${parsed.method}/responses/${status}`;
77
- let excerptValue: unknown = response;
78
-
79
- // Drill into application/json schema when available — that's the most useful
80
- // surface for UI rendering ("backend promised X, returned Y").
81
- const content = response.content as Record<string, unknown> | undefined;
82
- if (content && typeof content === "object") {
83
- const jsonMedia = (content["application/json"] ?? content["application/json; charset=utf-8"]) as
84
- | Record<string, unknown>
85
- | undefined;
86
- if (jsonMedia && typeof jsonMedia === "object" && "schema" in jsonMedia) {
87
- pointer += "/content/application~1json/schema";
88
- excerptValue = jsonMedia.schema;
89
- }
90
- }
91
-
92
- let excerpt: string;
93
- try {
94
- excerpt = JSON.stringify(excerptValue, null, 2);
95
- } catch {
96
- excerpt = String(excerptValue);
97
- }
98
- return { pointer, excerpt: trimExcerpt(excerpt) };
99
- }
@@ -1,155 +0,0 @@
1
- /**
2
- * TASK-29: actionable "Suggested fixes" surfaces for `zond db diagnose`.
3
- *
4
- * The base diagnose envelope already classifies failures and wires
5
- * recommended_action. This layer adds two concrete, fixable signals that
6
- * the LLM agent can act on without a second round-trip:
7
- *
8
- * 1. Placeholder path-params on 404s — when a 404 hits a URL that still
9
- * contains literal example/placeholder values (`example`, all-zeros
10
- * UUID, `your-…-here`, `00000000-…`, …), surface the exact path
11
- * segment that's broken plus the variable name we'd expect (best-effort
12
- * from the segment shape).
13
- *
14
- * 2. Untilled .env.yaml keys — read the API's .env.yaml and flag values
15
- * that are empty, `<TODO>`, `example`, `null`, or look like
16
- * placeholders (`replace-me`, `your-...`). These block CRUD sweeps
17
- * silently — without them, the agent can't tell apart "value missing"
18
- * from "value present and wrong".
19
- */
20
- import { existsSync, readFileSync } from "node:fs";
21
- import { parse as parseYaml } from "yaml";
22
-
23
- export type SuggestedFixKind =
24
- | "placeholder_path_param"
25
- | "unfilled_env_key";
26
-
27
- export interface SuggestedFix {
28
- kind: SuggestedFixKind;
29
- /** When `kind=unfilled_env_key`: the key name. When `kind=placeholder_path_param`:
30
- * the path segment that looks like a placeholder. */
31
- key: string;
32
- message: string;
33
- /** File path the user should edit (usually the API's .env.yaml). */
34
- source?: string;
35
- /** Optional one-line example of what to put there. */
36
- example?: string;
37
- }
38
-
39
- const PLACEHOLDER_PATTERNS: Array<{ re: RegExp; reason: string }> = [
40
- { re: /^example$/i, reason: "literal `example`" },
41
- { re: /^placeholder$/i, reason: "literal `placeholder`" },
42
- { re: /^your-[\w-]+-here$/i, reason: "`your-…-here` placeholder" },
43
- { re: /^00000000-0000-0000-0000-0+(?:beef|dead|cafe|f00d|0+)$/i, reason: "all-zero / sentinel UUID" },
44
- { re: /^0+$/, reason: "all-zero numeric id" },
45
- { re: /^replace-me$/i, reason: "`replace-me` placeholder" },
46
- ];
47
-
48
- const ENV_PLACEHOLDER_PATTERNS: Array<{ re: RegExp; reason: string }> = [
49
- { re: /^<.*>$/, reason: "TODO / angle-bracket placeholder" },
50
- { re: /^example$/i, reason: "literal `example`" },
51
- { re: /^placeholder$/i, reason: "literal `placeholder`" },
52
- { re: /^your-[\w-]+-here$/i, reason: "`your-…-here` placeholder" },
53
- { re: /^replace-?me$/i, reason: "`replace-me` placeholder" },
54
- { re: /^<TODO>$/i, reason: "explicit TODO" },
55
- ];
56
-
57
- /** Identify path segments that look like placeholders. Used on 404 URLs. */
58
- export function detectPlaceholderSegments(url: string | null): Array<{ segment: string; reason: string }> {
59
- if (!url) return [];
60
- let pathname: string;
61
- try {
62
- pathname = url.startsWith("http") ? new URL(url).pathname : url.split("?")[0]!;
63
- } catch {
64
- pathname = url;
65
- }
66
- const out: Array<{ segment: string; reason: string }> = [];
67
- for (const seg of pathname.split("/").filter(Boolean)) {
68
- for (const { re, reason } of PLACEHOLDER_PATTERNS) {
69
- if (re.test(seg)) {
70
- out.push({ segment: seg, reason });
71
- break;
72
- }
73
- }
74
- }
75
- return out;
76
- }
77
-
78
- /** Read .env.yaml and return keys whose value is empty/null/placeholder-shaped. */
79
- export function findUnfilledEnvKeys(envFilePath: string | undefined): SuggestedFix[] {
80
- if (!envFilePath || !existsSync(envFilePath)) return [];
81
- let parsed: unknown;
82
- try {
83
- parsed = parseYaml(readFileSync(envFilePath, "utf-8"));
84
- } catch {
85
- return [];
86
- }
87
- if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return [];
88
-
89
- const out: SuggestedFix[] = [];
90
- for (const [key, val] of Object.entries(parsed as Record<string, unknown>)) {
91
- const reason = classifyEnvValue(val);
92
- if (reason) {
93
- out.push({
94
- kind: "unfilled_env_key",
95
- key,
96
- message: `\`${key}\` in ${envFilePath} is unfilled (${reason}). Set it to a real value before re-running.`,
97
- source: envFilePath,
98
- });
99
- }
100
- }
101
- return out;
102
- }
103
-
104
- function classifyEnvValue(val: unknown): string | null {
105
- if (val === null || val === undefined) return "null / missing";
106
- if (typeof val === "string") {
107
- const trimmed = val.trim();
108
- if (trimmed === "") return "empty string";
109
- for (const { re, reason } of ENV_PLACEHOLDER_PATTERNS) {
110
- if (re.test(trimmed)) return reason;
111
- }
112
- }
113
- return null;
114
- }
115
-
116
- export interface BuildSuggestedFixesInput {
117
- failures: Array<{
118
- response_status: number | null;
119
- request_url: string | null;
120
- suite_name: string;
121
- test_name: string;
122
- }>;
123
- envFilePath?: string;
124
- }
125
-
126
- /**
127
- * Combine placeholder-detection across all 404 failures + env-yaml audit
128
- * into a single deduplicated list of fixes the agent should apply before
129
- * re-running.
130
- */
131
- export function buildSuggestedFixes(input: BuildSuggestedFixesInput): SuggestedFix[] {
132
- const fixes: SuggestedFix[] = [];
133
- const seenSegments = new Set<string>();
134
-
135
- for (const f of input.failures) {
136
- if (f.response_status !== 404) continue;
137
- for (const ph of detectPlaceholderSegments(f.request_url)) {
138
- const dedupeKey = `seg:${ph.segment}`;
139
- if (seenSegments.has(dedupeKey)) continue;
140
- seenSegments.add(dedupeKey);
141
- fixes.push({
142
- kind: "placeholder_path_param",
143
- key: ph.segment,
144
- message:
145
- `404 on \`${f.request_url}\` — path segment \`${ph.segment}\` is a ${ph.reason}. ` +
146
- `Replace with a real id from the live API (e.g. \`zond prepare-fixtures --apply\`) ` +
147
- `or set the corresponding fixture in ${input.envFilePath ?? ".env.yaml"}.`,
148
- source: input.envFilePath,
149
- });
150
- }
151
- }
152
-
153
- fixes.push(...findUnfilledEnvKeys(input.envFilePath));
154
- return fixes;
155
- }